Is SharePoint HIPAA Compliant?

SharePoint is HIPAA compliant when the platform is subscribed to as part of an Office 365 or Microsoft 365 Enterprise Plan supported by a Business Associate Agreement, and subject to the platform being configured to comply with the Technical Standards of the HIPAA Security Rule. Provided these conditions are met, SharePoint can be used to collect, store, and share PHI.

The SharePoint platform is based on Microsoft’s OpenXML document standard, hence it works with Microsoft Office seamlessly. It also has most of the functions that Google Drive and Dropbox offer, both of which can be considered HIPAA compliant provided certain conditions are satisfied.

SharePoint, however, is much more powerful as it can be used for intranet sites, internet portals and as a basis for a CRM system. With its extensive range of functions, SharePoint is obviously a good match for healthcare companies, but does the platform have all the required functions and security controls that HIPAA requires?

The first consideration in deciding the viability of a platform for use in healthcare in the U.S. is if the service provider will sign a business associate agreement (BAA) with a HIPAA covered entity or its business associates. If there’s no BAA, an entity cannot use the platform with any protected health information (PHI).

Microsoft is ready to sign a BAA with HIPAA covered entities for Yammer and Office. As for SharePoint, Microsoft mentioned on its official website that SharePoint Online is HIPAA compliant and can be used with Office 365 Enterprise as its BAA for Office 365 Enterprise also covers SharePoint Online.

Can we consider SharePoint HIPAA compliant? Although no software platform is truly HIPAA compliant, SharePoint possesses the required administrative and technical controls to satisfy HIPAA Rules. So, HIPAA covered entities can utilize the SharePoint in a way that complies with HIPAA.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Microsoft will likewise make certain that it fulfills its obligations as a business associate. However, it is the users’ responsibility to follow HIPAA Rules. The platform must be configured appropriately and individual access controls and audit controls must be set. Logs need to be monitored and proper security controls need to be configured. Users also need training on the proper use of the platform and must be made aware of the restrictions of HIPAA.

As long as there is a BAA and the platform is set up and used properly, SharePoint may be regarded as a HIPAA compliant platform for document management, storage and collaboration.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: